Bug 503523
Summary: | certicom token "changepw" fails (however strong password we give) | ||
---|---|---|---|
Product: | [Retired] Dogtag Certificate System | Reporter: | Kashyap Chamarthy <kchamart> |
Component: | ECC | Assignee: | Christina Fu <cfu> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 1.1 | CC: | benl, mharmsen, rrelyea |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2009-07-22 23:35:54 UTC | Type: | --- |
Bug Blocks: | 443788 |
Description
Kashyap Chamarthy
2009-06-01 14:56:54 UTC
with strace:

```
[root@shine ecc]# strace -o strace.log modutil -dbdir /var/lib/pki-ca/alias/ -changepw "Certicom FIPS Cert/Key Services"
```

```
[root@shine ecc]# tail -30 strace.log
ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
close(6) = 0
munmap(0x2b231c5da000, 4096) = 0
close(7) = 0
munmap(0x2b231c5d9000, 4096) = 0
open("/root/.certicom/sbcp/sbcppri.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 6
fstat(6, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fcntl(6, F_SETFD, FD_CLOEXEC) = 0
close(6) = 0
open("/root/.certicom/sbcp/sbcppri.db/x00", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
read(6, "0\202\1\226\2\1\0030\202\1P\6\t*\206H\206\367\r\1\7\1\240\202\1A\4\202\1=0\202"..., 410) = 410
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
close(6) = 0
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
write(2, "ERROR: Unable to change password"..., 77) = 77
lseek(3, 0, SEEK_SET) = 0
write(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0@\0\0\0\0\16\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
close(3) = 0
lseek(4, 0, SEEK_SET) = 0
write(4, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
close(4) = 0
munmap(0x2b231c21c000, 2407832)
```

Additional info: the /root/.certicom/sbcp directory does exist, and it has sbcppri.db, sbcppub.db, sbcpso.db directories (but not the sbcpuser.db directory).

When I created the /root/.certicom/sbcp/sbcpuser.db directory and again tried to change the token password, no joy there too.

First, I do not know why it failed. But I can come up with something for you to try.

On a 32 bit machine, create the following directory: /root/.certicom/sbcp/sbcpuser.db

sftp to gamma, and cd into the directory with the same path, and get the files over to your 32 bit machine. Put them under the same path. Now try your changepw again. The old password is redhat.

Just realized one reason this trick would not work. The old certicom dbs I have are from the old certicom lib and the token names are different:

token: Certicom Cert/Key Services

while the new token has name:

token: Certicom FIPS Cert/Key Services

I think it's best to ask certicom about it.

This is to document what to do once the certicom library is added and initialized (the steps to get to this point will be provided later):

Edit file /usr/bin/dtomcat5-<instance name>, e.g.

```
vim /usr/bin/dtomcat5-pki-ca
```

At the very beginning of the file, right after the line

```
umask 00002
```

you add

```
export NSS_USE_DECODED_CKA_EC_POINT=1
```

Restart the server.

On the client side, at the shell where you wish to start the browser, set the same flag:

```
export NSS_USE_DECODED_CKA_EC_POINT=1
```

Start the browser, then you need to load the certicom library: go to Edit, Preferences, Advanced, Security Devices, then load the certicom module

certicom /usr/lib64/libsbcpgse.so

Log in to the token: Certicom FIPS Cert/Key Services

Import the agent cert (presumably you had configured it in another browser, exported the admin cert).

Now you can access both the ee ssl page and the agent page.

Verified. Token password can be changed using the sample binary provided from certicom (but the password "userpassword" is hard-coded in the sample.c).

Refer to the below bugzilla for configuring CA with certicom ECC module: https://bugzilla.redhat.com/show_bug.cgi?id=507428
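The server-side step from the comment above (adding `export NSS_USE_DECODED_CKA_EC_POINT=1` right after the `umask 00002` line of `/usr/bin/dtomcat5-<instance name>`) can be scripted so that it is repeatable and leaves a backup. This is an added example, not part of the original bug report or of Dogtag; the function name `ensure_ec_point_flag` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Dogtag code): idempotently place the NSS flag directly
# after the "umask 00002" line of a dtomcat5-<instance> start script.
# Usage (as root): ensure_ec_point_flag /usr/bin/dtomcat5-pki-ca
# then restart the server as described in the bug comment.

FLAG_LINE='export NSS_USE_DECODED_CKA_EC_POINT=1'

# ensure_ec_point_flag FILE   (hypothetical helper name)
# Returns 0 if the flag line is present afterwards (already there or inserted),
#         1 on an I/O failure,
#         2 if FILE does not exist,
#         3 if FILE has no "umask 00002" line to anchor on (file left untouched).
ensure_ec_point_flag() {
    script=$1
    [ -f "$script" ] || return 2

    # Already configured: do nothing, so repeated runs never duplicate the line.
    if grep -qxF "$FLAG_LINE" "$script"; then
        return 0
    fi

    # Refuse to guess a location when the anchor line is missing.
    grep -qE '^[[:space:]]*umask[[:space:]]+00002[[:space:]]*$' "$script" || return 3

    tmp=$(mktemp "${script}.XXXXXX") || return 1

    # Copy every line; emit the flag once, right after the first umask line.
    awk -v flag="$FLAG_LINE" '
        { print }
        !inserted && /^[ \t]*umask[ \t]+00002[ \t]*$/ { print flag; inserted = 1 }
    ' "$script" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep a rollback copy, then overwrite in place so mode and owner are kept.
    cp -p "$script" "${script}.bak" && cat "$tmp" > "$script"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    return 0
}
```

The client-side shell that starts the browser still needs the same `export` set by hand, as the comment describes.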